Wireless Security the TJ MAXX Story

Cyber-thieves using a telescoping wireless antenna to intercept payment information may be responsible for the "biggest data breach ever," investigators theorize.Related Links Ring Charged with Hacking Major U.S. Retailers.

The Wall Street Journal reported that hackers in St. Paul, Minnesota, parked outside a Marshalls' department store and used the antenna to decode data between hand-held payment scanners, enabling them to break into parent company TJX's database and make off with credit and debit card records of nearly 47 million customers.

Drive-by hacking, or "wardriving," was the first major threat to Internet access over wireless connections. Wardrivers drive by or park near Wi-Fi hotspots or open networks and use various means to siphon off data from unsuspecting users.

The TJX network was alleged to have less wireless network security protection than the networks of many home users. The hackers are believed to have had access to the network for as long as two years, going back to at least July 2005.

TJX was also alleged to be using the older Wireless Equivalent Privacy (WEP) protocol for its network, which has been largely discredited for the ease with which it can be broken. Security researchers in Germany recently published a paper documenting how WEP can be broken in as little as 60 seconds.

Most security experts recommend upgrading to the stronger Wi-Fi Protected Access (WPA) protocol, but TJX was apparently slow to adopt the new system.

Although TJX refused to comment on the wardriving allegations, the company previously acknowledged that it failed to meet security procedures mandated by the credit card industry. The company admitted to transferring credit card payment information to banks without any sort of encryption, making it easier for the wardrivers to pick up the information as they surfed the TJX network.

The hackers then most likely sold the purloined customer data in the underground economy" of black-market chats that specialize in the trading and selling of personal information. Data connected to the TJX breach turned up in a Florida fraud case involving credit cards "cloned" with the stolen personal information.

The fraudsters then used the clone cards to purchase gift cards from Wal-Mart, which they then redeemed for thousands of dollars in high-priced merchandise.

Although the TJX corporation claims its strong first-quarter sales numbers show that its shoppers don't care about the data breach, the company is still fending off numerous lawsuits from state Attorneys General and class-actions from irate customers.

Most recently, a coalition of banks in Massachusetts, Colorado, and Maine filed suit against TJX for forcing them to absorb the costs of canceling and reissuing thousands of credit and debit cards exposed in the breach.

The TJX breach has also spurred numerous bills in Congress to mandate stronger data security standards for both government agencies and private companies, and to ensure affected individuals are notified if a breach occurs.